I'm building a web application in Java EE 6 which is deployed to JBoss AS 7.1.
I am using security at the bean level (using the @RolesAllowed({ "useradmin", "usernormal" }) annotation) and at the front-end level (securing XHTML pages in the web.xml).
The authentication is done in JBoss, using its user management or LDAP (just a config change in the standalone.xml).
The whole security framework is working perfectly, even too well if I dare say...
Problem
I also have a scheduler using the Java EE TimerService. It can accept different types of jobs that can be scheduled later in time (original feature for a scheduler...).
I start having problems when the scheduler needs to run jobs that use some business logic beans, which are protected using the @RolesAllowed annotation. In that case, the security framework does its job and denies access to the scheduler.
Questions
Is there a way to programmatically give security privilege to my bean containing the scheduler?
Is it possible to fake an http session for the scheduler?
If so, what are the best practices to store login/password? I imagine it would be quite bad to hardcode them in a static variable...